Thursday, November 29, 2018

VyprVPN 是世界上第一个经过公开审核的无日志VPN服务

自从我们2009年成立以来,Golden Frog一直致力于做正确的事情,坚定不移地投身于互联网 。 我们是一个小团队,致力于为人们提供更好的隐私,安全和互联网自由。

当我们创建Golden Frog并推出 VyprVPN时, 我们认为记录最少量的 VPN服务数据会极大地改善用户在使用VPN时的体验。 我们将这些数据保持在最低限度,并专注于用数据帮助提高速度,性能,可靠性和故障排除。 我为能够谈论VPN行业的问题和在记录日志问题上保持与用户的透明沟通而感到自豪。

我们以前记录并保留30天的内容:

  • 客户的源IP地址(通常是用户ISP分配的IP地址)
  • VyprVPN分配给 用户 的 IP地址
  • 连接开始和结束时间
  • 使用的总字节数

如今,我很高兴地宣布,VyprVPN的现在是零日志(No Log)的VPN服务了 !

为什么我们改为零日志 ?

在过去的一年中,我们收到了来自客户,政策合作伙伴和VPN市场的重要反馈,即VPN提供商记录任何用户活动都会削弱对VPN服务本身的信任。

但是,引爆点是当Wirecutter发布他们对最佳VPN的评选时,我看到我们的一位用户在Twitter上询问为什么VyprVPN被排除在名单之外。

因此,尽管我们是世界上历史最悠久的VPN提供商之一,并且我们觉得我们一直在努力保护人们的隐私,但我们的最小日志记录使我们无法进入他们最佳VPN的名单。 哇。

显然,人们对VPN公司的期待已经发生了变化,我们必须做点什么了。人们要求公司提供更多隐私,这是件好事。我希望这种积极趋势能继续下去。

由于我们的服务在过去十年中已经成熟 , 我们在运行全球VPN网络方面变得更有经验, 以至于最小化日志记录的必要性已经大大减少。 我们已经找到了更好的方法来提高性能并击败欺诈者,而无需用户的连接信息。

这难道不就只是一次单纯的营销活动吗?

一些VPN提供商声称他们的服务是完全匿名的,但是后来又被发现他们其实会把用户数据交给当局,我们对此的批评一直直言不讳。我们对VPN行业的新进入者提出了合理的担忧,这些新进入者承诺提供隐私,但却提供了相反的结果, 同时向用户隐瞒这一事实。 我们担心人们对VPN的信任正在被侵蚀,如果人们不能相信一个VPN能保护隐私,用户就会停止用VPN对数据加密。 我们认为需要采取果断行动。 这就是我们与民主与技术中心(The Center for Democracy & Technology)合作的原因,我们在在过去的一年里创造了 “值得信赖的VPN的信号“(”Signals of Trustworthy VPNs”)的报告, 这样用户可以更好地理解向他们VPN 提供商提出什么问题 。 这是一个良好的开端, 我们鼓励更多的VPN提供商为了消费者的利益回答这些问题。

如何改变话题以及对VPN行业提出挑战?

当我们在今年夏天决定成为零日志VPN时,我们想要做更多的事情来创建信任,而不仅仅是使用零日志的营销语言和更新我们的网站上的隐私政策 。我们希望能够改变话题并进一步挑战VPN行业。

因此,我们决定聘请一个受人尊敬的独立审计团队,以确保当我们说“零日志“(“ No Log “)时, 用户可以信任我们,而不会觉得我们是说一套做一套VPN提供商。经过广泛的研究,我们聘请了利维坦安全(Leviathan Security)进行独立审计,并确保期间没有关于个人身份的信息被收集。你没必要相信我们(虽然我认为你应该),但我们希望你能信任利维坦安全团队,他们证明了我们已经实现了零日志的诺言。

所以,我很自豪地宣布,我们是世界上第一个通过公开审核的零日志 VPN提供商。当然,这听起来像营销语言,但我们的工程师肯定不这么认为!我们的团队与利维坦安全团队的团队密切合作,解决他们在调查过程中出现的所有问题。 我们允许利维坦完全访问我们的服务器,应用程序,程序代码等等 – 我们让他们进行了最仔细的查验。

我们花了很多时间修改并确保我们的服务器系统不会记录与您的连接有关的任何信息。 这包括VPN服务器,身份验证服务器,API服务器等。日常连接日志记录的路径很容易修改,但技术团队更进一步,在整个后端软件套件中进行了大量的日志记录修改,以确保即使是在意外情况下日志记录也不会发生。利维坦验证了我们所有的改动。

我们的应用开发团队也参与进来。他们审核了应用程序并提供了更新版本,以确保应用程序或操作系统记录的设备上的任何日志仅在您明确许可下才能发送给我们。利维坦再次证实了我们的所有承诺。 我们的技术团队花了很多时间确保这一切不仅仅是营销活动。

我为我们的工程团队感到非常自豪,他们与利维坦密切合作以获得这一荣誉。他们都值得我们的认可,我非常感谢他们的努力。感谢你们!

您可以在这里阅读来自利维坦安全的完整报告:VyprVPN 隐私审计

接下来是什么?

首先,我们不仅要做出承诺,我们必须继续履行承诺 。服务器基础架构,桌面应用和移动应用程序是一个有机的,不断变化的系统。我们必须妥善应对改变,并继续履行对用户的承诺。

其次,我向其他VPN提供商提出挑战,希望他们也对如何处理用户数据进行审计,为他们的用户的创造更多的信任 ,这样有助于建立人们对VPN服务的总体信任感。我赞赏 Tunnelbear 的 安全审计, 我希望他们每年继续这样做。我还希望他们对如何处理用户数据进行审计,而不仅仅是服务的安全性。我们也在考虑在不久的将来进行安全性审计。

我仍然相信尽管很多VPN提供商承诺保护用户隐私,但是他们依赖第三方托管公司来运行他们在全球的服务器 – 这样的承诺很难让人完全信服。我们很幸运 – 我们不租赁,我们拥有自己的服务器。 我想看看对其他VPN提供商的审计是否会提到我对第三方托管服务商侵犯用户隐私的担忧。

Facebook在联邦贸易委员会(Federal Trade Commission)的要求下进行了由普华永道(PricewaterhouseCoopers)主导的审计,那次审计并没有发现剑桥分析公司(Cambridge Analytica)的大规模滥用行为。 因此,并非所有的审计都是平等,公正的。但是,如果我们生活在一个世界,那里公司们都在辩论哪家审计供应商更值得信赖,而不是哪种营销语言更值得信赖,那么这就是我宁愿生活的世界。

第三,我希望这次审计能够成为其他处理用户数据的公司的灯塔,而不仅仅是隐私公司。现实情况是,几乎所有公司都在处理用户信息,而且对用户信息的滥用,错用无处不在。被收集的数据量和种类都在增加。Alexa,我没说错吧?因此,消费者比以往任何时候都的值得拥有私密性和透明沟通,展开全方位的审计将会是与消费者建立信任的良好开端。

中国人有句谚语说:“种树的最好时机是二十年前。其次就是现在。” 这句话在隐私审计当中同样适用。所以开始行动就对了。做一些事情,做任何事情,然后与你的用户分享。

来源:https://ift.tt/2Q6dH3t

目前VyprVPN官方促销,优惠力度很大,需要的可以看看,购买地址https://www.goldenfrog.com/zh/vyprvpn/world-cup-special?offer_id=235&aff_id=4579

随着GFW封锁的加剧VyprVPN也不能全服务器IP可连接了,这些天测试都是北美洲及亚洲国家在不断更换被封IP,其他洲不少都很久没有新可用IP了,其实中国大陆用户一般都是翻墙上外网,没有那么多服务器需求,有香港、台湾、新加坡、日本、韩国、美国西部(西雅图、洛杉矶等),最多加个英国德国法国,其他地区的服务器基本是没人用的,希望他们可以推出个确保10几个服务器大陆可连接的特价套餐,降低成本来降低定价!



via iGFW https://ift.tt/2RncUYs

Thursday, November 22, 2018

Windscribe VPN——终身无限流量高级VPN只需35美元

Windscribe VPN是国外一家知名的VPN服务商,Windscribe VPN Pro版官方提供win、mac、ios和安卓客户端,另外还支持生成OpenVPN、 IKEv2 VPN和SOCKS5配置手动设置VPN连接,Pro版拥有台湾、日本、韩国、香港、新加坡、美国、英国、德国等50多个国家100多个城市的VPN服务器,官方客户端还有支持Google chrome和firefox浏览器的插件版,使用简单方便。

Windscribe VPN在StackSocial特卖网站做活动,官网两年要89美元的,现在终身服务稳定速度快无限流量无限设备同时连接VPN只需35美元,价格非常实惠,不容错过。

购买地址https://stacksocial.com/sales/windscribe-vpn-lifetime-pro-subscription?rid=4992791     购买时使用优惠码BFSAVE40

 

Windscribe VPN手动设置http2 proxy的方法参考https://www.igfw.net/archives/13666  (http2代理可以在win、mac、linux上使用Google Chrome+Proxy SwitchyOmega,安卓系统上可以使用Firefox+Proxy SwitchyOmega,另外安卓系统上建议手动设置IKEv2 VPN连接,其官方安卓客户端很久没有更新不好用了)



via iGFW https://ift.tt/2DSluv7

Wednesday, November 14, 2018

流行免费 VPN 被发现大部分来自中国

Metric Labs 的调查发现, Google Play Store 和 Apple Store 里的流行免费 VPN 应用有大约六成由中国开发者开发或中国人所有。这一发现引发了数据隐私方面的担忧。研究人员分析了 Google 和苹果应用商店里的 top 20 free VPN apps,这些应用的下载量多在 100 万以上,结果如图所示,超过一半为中国开发者所有。此外,这些 免费 VPN 基本上不存在隐私保护,用户支持也很少。 通过这些 VPN 的用户数据可能会被记录下来,最糟糕的情况可能是数据会被提供给中国政府。

来源:https://ift.tt/2DFXIT4



via iGFW https://ift.tt/2QKLGe6

Tuesday, November 6, 2018

New release: Tor 0.3.4.9

We have a new stable release today. If you build Tor from source, you can download the source code for Tor 0.3.4.9 from the download page on the website. Packages should be available within the next several weeks, with a new Tor Browser by mid-December.

Tor 0.3.4.9 is the second stable release in its series; it backports numerous fixes, including a fix for a bandwidth management bug that was causing memory exhaustion on relays. Anyone running an earlier version of Tor 0.3.4.9 should upgrade.

Changes In Version 0.3.4.9 – 2018-11-02

  • Major bugfixes (compilation, backport from 0.3.5.3-alpha):
    • Fix compilation on ARM (and other less-used CPUs) when compiling with OpenSSL before 1.1. Fixes bug 27781; bugfix on 0.3.4.1-alpha.
  • Major bugfixes (mainloop, bootstrap, backport from 0.3.5.3-alpha):
    • Make sure Tor bootstraps and works properly if only the ControlPort is set. Prior to this fix, Tor would only bootstrap when a client port was set (Socks, Trans, NATD, DNS or HTTPTunnel port). Fixes bug 27849; bugfix on 0.3.4.1-alpha.
  • Major bugfixes (relay, backport from 0.3.5.3-alpha):
    • When our write bandwidth limit is exhausted, stop writing on the connection. Previously, we had a typo in the code that would make us stop reading instead, leading to relay connections being stuck indefinitely and consuming kernel RAM. Fixes bug 28089; bugfix on 0.3.4.1-alpha.
  • Major bugfixes (restart-in-process, backport from 0.3.5.1-alpha):
    • Fix a use-after-free error that could be caused by passing Tor an impossible set of options that would fail during options_act(). Fixes bug 27708; bugfix on 0.3.3.1-alpha.
  • Minor features (continuous integration, backport from 0.3.5.1-alpha):
    • Don’t do a distcheck with –disable-module-dirauth in Travis. Implements ticket 27252.
    • Only run one online rust build in Travis, to reduce network errors. Skip offline rust builds on Travis for Linux gcc, because they’re redundant. Implements ticket 27252.
    • Skip gcc on OSX in Travis CI, because it’s rarely used. Skip a duplicate hardening-off build in Travis on Tor 0.2.9. Skip gcc on Linux with default settings, because all the non-default builds use gcc on Linux. Implements ticket 27252.
  • Minor features (continuous integration, backport from 0.3.5.3-alpha):
    • Use the Travis Homebrew addon to install packages on macOS during Travis CI. The package list is the same, but the Homebrew addon does not do a `brew update` by default. Implements ticket 27738.
  • Minor features (geoip):
    • Update geoip and geoip6 to the October 9 2018 Maxmind GeoLite2 Country database. Closes ticket 27991.
  • Minor bugfixes (32-bit OSX and iOS, timing, backport from 0.3.5.2-alpha):
    • Fix an integer overflow bug in our optimized 32-bit millisecond- difference algorithm for 32-bit Apple platforms. Previously, it would overflow when calculating the difference between two times more than 47 days apart. Fixes part of bug 27139; bugfix on 0.3.4.1-alpha.
    • Improve the precision of our 32-bit millisecond difference algorithm for 32-bit Apple platforms. Fixes part of bug 27139; bugfix on 0.3.4.1-alpha.
    • Relax the tolerance on the mainloop/update_time_jumps test when running on 32-bit Apple platforms. Fixes part of bug 27139; bugfix on 0.3.4.1-alpha.
  • Minor bugfixes (C correctness, to appear in 0.3.5.4-alpha):
    • Avoid undefined behavior in an end-of-string check when parsing the BEGIN line in a directory object. Fixes bug 28202; bugfix on 0.2.0.3-alpha.
  • Minor bugfixes (CI, appveyor, to appear in 0.3.5.4-alpha):
    • Only install the necessary mingw packages during our appveyor builds. This change makes the build a little faster, and prevents a conflict with a preinstalled mingw openssl that appveyor now ships. Fixes bugs 27943 and 27765; bugfix on 0.3.4.2-alpha.
  • Minor bugfixes (code safety, backport from 0.3.5.3-alpha):
    • Rewrite our assertion macros so that they no longer suppress the compiler’s -Wparentheses warnings. Fixes bug 27709; bugfix
  • Minor bugfixes (continuous integration, backport from 0.3.5.1-alpha):
    • Stop reinstalling identical packages in our Windows CI. Fixes bug 27464; bugfix on 0.3.4.1-alpha.
  • Minor bugfixes (directory authority, to appear in 0.3.5.4-alpha):
    • Log additional info when we get a relay that shares an ed25519 ID with a different relay, instead making a BUG() warning. Fixes bug 27800; bugfix on 0.3.2.1-alpha.
  • Minor bugfixes (directory connection shutdown, backport from 0.3.5.1-alpha):
    • Avoid a double-close when shutting down a stalled directory connection. Fixes bug 26896; bugfix on 0.3.4.1-alpha.
  • Minor bugfixes (HTTP tunnel, backport from 0.3.5.1-alpha):
    • Fix a bug warning when closing an HTTP tunnel connection due to an HTTP request we couldn’t handle. Fixes bug 26470; bugfix on 0.3.2.1-alpha.
  • Minor bugfixes (netflow padding, backport from 0.3.5.1-alpha):
    • Ensure circuitmux queues are empty before scheduling or sending padding. Fixes bug 25505; bugfix on 0.3.1.1-alpha.
  • Minor bugfixes (onion service v3, backport from 0.3.5.1-alpha):
    • When the onion service directory can’t be created or has the wrong permissions, do not log a stack trace. Fixes bug 27335; bugfix on 0.3.2.1-alpha.
  • Minor bugfixes (onion service v3, backport from 0.3.5.2-alpha):
    • Close all SOCKS request (for the same .onion) if the newly fetched descriptor is unusable. Before that, we would close only the first one leaving the other hanging and let to time out by themselves. Fixes bug 27410; bugfix on 0.3.2.1-alpha.
  • Minor bugfixes (onion service v3, backport from 0.3.5.3-alpha):
    • When selecting a v3 rendezvous point, don’t only look at the protover, but also check whether the curve25519 onion key is present. This way we avoid picking a relay that supports the v3 rendezvous but for which we don’t have the microdescriptor. Fixes bug 27797; bugfix on 0.3.2.1-alpha.
  • Minor bugfixes (protover, backport from 0.3.5.3-alpha):
    • Reject protocol names containing bytes other than alphanumeric characters and hyphens ([A-Za-z0-9-]). Fixes bug 27316; bugfix on 0.2.9.4-alpha.
  • Minor bugfixes (rust, backport from 0.3.5.1-alpha):
    • Compute protover votes correctly in the rust version of the protover code. Previously, the protover rewrite in 24031 allowed repeated votes from the same voter for the same protocol version to be counted multiple times in protover_compute_vote(). Fixes bug 27649; bugfix on 0.3.3.5-rc.
    • Reject protover names that contain invalid characters. Fixes bug 27687; bugfix on 0.3.3.1-alpha.
  • Minor bugfixes (rust, backport from 0.3.5.2-alpha):
    • protover_all_supported() would attempt to allocate up to 16GB on some inputs, leading to a potential memory DoS. Fixes bug 27206; bugfix on 0.3.3.5-rc.
  • Minor bugfixes (rust, directory authority, to appear in 0.3.5.4-alpha):
    • Fix an API mismatch in the rust implementation of protover_compute_vote(). This bug could have caused crashes on any directory authorities running Tor with Rust (which we do not yet recommend). Fixes bug 27741; bugfix on 0.3.3.6.
  • Minor bugfixes (rust, to appear in 0.3.5.4-alpha):
    • Fix a potential null dereference in protover_all_supported(). Add a test for it. Fixes bug 27804; bugfix on 0.3.3.1-alpha.
    • Return a string that can be safely freed by C code, not one created by the rust allocator, in protover_all_supported(). Fixes bug 27740; bugfix on 0.3.3.1-alpha.
  • Minor bugfixes (testing, backport from 0.3.5.1-alpha):
    • If a unit test running in a subprocess exits abnormally or with a nonzero status code, treat the test as having failed, even if the test reported success. Without this fix, memory leaks don’t cause the tests to fail, even with LeakSanitizer. Fixes bug 27658; bugfix on 0.2.2.4-alpha.
  • Minor bugfixes (testing, backport from 0.3.5.3-alpha):
    • Make the hs_service tests use the same time source when creating the introduction point and when testing it. Now tests work better on very slow systems like ARM or Travis. Fixes bug 27810; bugfix on 0.3.2.1-alpha.
  • Minor bugfixes (testing, to appear in 0.3.5.4-alpha):
    • Treat backtrace test failures as expected on BSD-derived systems (NetBSD, OpenBSD, and macOS/Darwin) until we solve bug 17808. (FreeBSD failures have been treated as expected since 18204 in 0.2.8.) Fixes bug 27948; bugfix on 0.2.5.2-alpha.

原文:https://blog.torproject.org/new-release-tor-0349



via 细节的力量 https://ift.tt/2QpvGxZ

New Release: Tor Browser for Android 1.0a3

Tor Browser for Android 1.0a3 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Moreover, we backport a defense against protocol handler enumeration developed by Mozilla engineers.

Unfortunately, in this release we are temporarily introducing a regression due to a potential proxy-bypass bug within some versions of Android. Tor Browser for Android will not download a website’s “favicon” in this release (the small image shown beside the title of the webpage in the list of tabs). From our investigation into this bug, we found Android versions before Android Oreo (Android version 7 and earlier, API level 25 and earlier) leak some information about which webpage the browser is loading. This was corrected in newer versions of Android, however this temporary regression is necessary because it is likely most users have an older version of Android, and there may be other bugs we haven’t discovered yet. One bug in the Android networking code is one bug too many. We are working on a new way of downloading these icons.

The full changelog since Tor Browser for Android 1.0a2 is:

  • Update Firefox to 60.3.0esr
  • Update Torbutton to 2.1.1
  • Update HTTPS Everywhere to 2018.9.19
  • Backport of fixes for bug 1448014, 1458905, 1441345, and 1448305
  • Bug 1623: Block protocol handler enumeration (backport of fix for #680300)
  • Bug 28125: Prevent proxy-bypass bug by Android networking library

原文:https://blog.torproject.org/new-release-tor-browser-android-10a3



via 细节的力量 https://ift.tt/2Phr8x2

New Release: Tor Browser 8.5a4

Tor Browser 8.5a4 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Highlights in Tor Browser 8.5a4 are a new Tor alpha version, 0.3.5.3-alpha, a fixed layout of our macOS installer window and Stylo (Mozilla’s new CSS engine) being enabled on macOS after fixing a reproducibility issues. Please report any problems you find with those macOS related changes as we think about backporting them for the stable series.

Moreover, we backport a defense against protocol handler enumeration developed by Mozilla engineers and provide Tor Browser on all supported platforms in four additional locales: cs, el, hu, and ka.

Note: It turned out it was a bit premature to ship the new locales as we did not catch bugs in them last minute, so we don’t make them available on our download page. Sorry for the inconvenience.

The full changelog since Tor Browser 8.5a3 is:

  • All Platforms
    • Update Firefox to 60.3.0esr
    • Update Tor to 0.3.5.3-alpha
    • Update Torbutton to 2.1.1
    • Update Tor Launcher to 0.2.17
    • Update HTTPS Everywhere to 2018.9.19
    • Update NoScript to 10.1.9.9
    • Bug 1623: Block protocol handler enumeration (backport of fix for #680300)
    • Bug 27905: Fix many occurrences of “Firefox” in about:preferences
    • Bug 28082: Add locales cs, el, hu, ka
  • Windows
    • Bug 21704: Abort install if CPU is missing SSE2 support
    • Bug 28002: Fix the precomplete file in the en-US installer
  • OS X
    • Bug 26263: App icon positioned incorrectly in macOS DMG installer window
    • Bug 26475: Fix Stylo related reproducibilitiy issue
  • Linux
    • Bug 26475: Fix Stylo related reproducibilitiy issue
    • Bug 28022: Use `/usr/bin/env bash` for bash invocation
  • Android
    • Backport of fixes for bug 1448014, 1458905, 1441345, and 1448305
  • Build System
    • All Platforms
      • Bug 27218: Generate multiple Tor Browser bundles in parallel
    • Windows
    • OS X

原文:https://blog.torproject.org/new-release-tor-browser-85a4



via 细节的力量 https://ift.tt/2Qp72gV

无界浏览18.05正式版 (2018年11月5日)

谢谢大家都测试反馈,请升级到18.05,旧版有时会连接不上或速度慢。

执行版:
http://wujieliulan.com/download/u1805.exe
SHA256:40b1b85a494c25c22a7fe7b7985dfe7a5ecac725f5c06485137cb47e0920ccd7
SHA512:3a172fd962d90c2ac934fba0edc82467d75d64935e78a8a8e1c509c37931ade0dd293349084cd30ac7739db90b028045547ac8c62adf4b4d9679941b5dc7843c
压缩版:
http://wujieliulan.com/download/u1805.zip
SHA256:85d6c3b90a16e85aedfd0aaf3578270bbc5e38358b7c7a26c2da78195d0886e5
SHA512:4d8111d9d8983936405462aeda8b2453f688915238bf34aac8b30dcf652e663ecb95a6cf5216c9fac15eb67cd87a6216e91108832f5bd3c72099ebfa82841c81

原文:http://forums.internetfreedom.org/index.php?topic=23243.0



via 细节的力量 https://ift.tt/2PgFeys